Zero Trust Security

Hacking Higher Education

The problem

Ted Harrington
Cyber Security Expert

July 15, 2022

Three and a half months.

That’s how long it took from when cloud provider Blackbaud was hacked in early February 2020 until it was able to identify and disclose the breach in late May 2020. Given the nature of Blackbaud’s business, the impact reverberated all over the globe, especially in the higher education community in Europe, where personally identifiable information about students and staff was stolen from more than 11 universities, including University of London, University College Oxford, and more.

WHAT IT MEANS

Security is daunting: it’s difficult, expensive, time-consuming, hard to measure, hard to justify, and generally misunderstood. Multiply that by the fact that higher education typically has fewer people and less money to dedicate to the problem than commercial enterprises do. Furthermore, many organizations may already be taking steps, and may even be investing heavily in security, but may be unaware that those investments aren’t going in the right places. Taken together, it means that higher ed is in a tough spot when it comes to cybersecurity.

WHAT TO DO

So, as a tech leader in higher education, what are you to do with this information? The good news is that despite how daunting the challenge may feel, there are some clear and actionable steps you can (and should!) take right now. These are viable even within the tight resource constraints that all higher education institutions face: make sure you know what’s going on in your environment, combine both products and services to reduce the likelihood of a breach, and work with outside experts to help.

STEP 1: KNOW WHAT’S GOING ON IN YOUR ENVIRONMENT

A crucial element of any security program is what’s known as Defense in Depth, a strategy that layers defenses in order to both minimize the chances an attacker gets in and reduce the damage if an attacker does indeed get in. Imagine a medieval castle: it protects the king’s life by combining defenses such as the moat, drawbridge, fortified interior compartments, king’s guard, and more. That’s what Defense in Depth is like.

A crucial aspect of Defense in Depth is logging and monitoring. Logging is the practice of recording events in your environment, while monitoring is intended to detect whether certain activities might signal that an attack is in progress. Make sure you have logging and monitoring in place as a key component of your Defense in Depth strategy.
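As an added illustration (not code from the article, its author, or ISE), the small Python monitor below makes the logging-versus-monitoring distinction concrete: the logging side turns raw lines into structured events, and the monitoring side applies two detection rules to that event stream and raises alerts. The log format, the fictional student-records application, the thresholds, and every event are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): events from a fictional
# student-records application, one event per line, timestamps in UTC.
SAMPLE_LOG = """\
2020-02-07T02:13:04Z auth FAIL user=jdoe src=198.51.100.7
2020-02-07T02:13:09Z auth FAIL user=jdoe src=198.51.100.7
2020-02-07T02:13:15Z auth FAIL user=jdoe src=198.51.100.7
2020-02-07T02:13:22Z auth FAIL user=jdoe src=198.51.100.7
2020-02-07T02:13:30Z auth FAIL user=jdoe src=198.51.100.7
2020-02-07T02:14:01Z auth OK user=jdoe src=198.51.100.7
2020-02-07T02:20:00Z export OK user=jdoe src=198.51.100.7 rows=48000
2020-02-07T09:30:00Z export OK user=registrar src=192.0.2.10 rows=120
"""

LINE_RE = re.compile(r"^(\S+) (\w+) (OK|FAIL) (.*)$")

def parse_line(line):
    """Logging side: turn one raw line into a structured event, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, action, result, rest = m.groups()
    ev = dict(kv.split("=", 1) for kv in rest.split())  # key=value fields
    ev.update(ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), action=action, result=result)
    return ev

def monitor(log_text, fail_threshold=5, window=timedelta(minutes=5),
            export_rows=10000, business_hours=(8, 18)):
    """Monitoring side: run two detection rules over the events and return alerts."""
    alerts, recent_fails = [], defaultdict(list)  # src -> timestamps of failed logins
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # a logging gap: an event we cannot interpret is never monitored
        src, ts = ev["src"], ev["ts"]
        if ev["action"] == "auth" and ev["result"] == "FAIL":
            recent_fails[src].append(ts)
        elif ev["action"] == "auth":  # successful login: check the failures before it
            fails = [t for t in recent_fails.pop(src, []) if ts - t <= window]
            if len(fails) >= fail_threshold:
                alerts.append((ts, src, "login succeeded after %d failures" % len(fails)))
        elif ev["action"] == "export":  # bulk record export outside business hours
            rows = int(ev.get("rows", 0))
            if rows >= export_rows and not business_hours[0] <= ts.hour < business_hours[1]:
                alerts.append((ts, src, "large off-hours export of %d rows" % rows))
    return alerts
```

Without the `monitor` rules the same lines would sit unread in the log, which is exactly the months-long gap the Blackbaud timeline at the top of this article illustrates.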

STEP 2: COMBINE PRODUCTS AND SERVICES

The key to Defense in Depth is that there are both tool elements and human elements: you need tools to deliver security benefits (such as the logging and monitoring that were just mentioned), but you also need trained people to run the tools. Otherwise, it would be like building a castle but not having any guards in it. However, this seemingly obvious principle is commonly overlooked. If you walk the vendor hall of any major security conference, you’ll be bombarded with promises that simply by buying a given tool, the security problem is entirely solved. You must reject that nonsense, because security simply cannot be entirely automated.

Instead, make sure that in addition to tools, you are hiring and training people to run those tools. Furthermore, you want to be engaging services to help you measure the gap between where your security program is today and where it needs to be. This is usually consulting, but it also includes security assessments, penetration testing, and more.

STEP 3: WORK WITH AN OUTSIDE EXPERT

As I wrote about in my #1 bestselling book Hackable: How to Do Application Security Right, you want to combine both in-house and external experts in order to accomplish your security mission. In-house experts deliver benefits like efficiency (they can get the right information to help the outside experts be more impactful) and coordination (they know how to navigate the political norms within the organization that an outside expert might not).

Outside experts deliver benefits such as domain expertise (it makes sense for them to have specialists like ethical hackers on staff, which probably doesn’t make sense for you to employ full-time) and independence (they say it how it is, even if it isn’t exactly what you want to hear).

When you combine these benefits, you get a powerful force. This would be like the king who wants to know whether his enemy could defeat his castle defenses, so he brings in some of his nobles’ knights to help him think about and improve those defenses.

SUMMARY

The key takeaway is that the security challenge is indeed daunting, especially for those of you working within the extreme resource constraints of higher education; however, there is a clear path forward to help you accomplish your security mission. Just make sure you have clarity on what’s going on, combine products and services, and get help from the outside. Do these things and you’ll make meaningful, measurable improvements to your security program.

About the Author

Ted Harrington is the #1 best-selling author of HACKABLE: How to Do Application Security Right, and the Executive Partner at Independent Security Evaluators (ISE), the company of ethical hackers famous for hacking cars, medical devices, web applications, and password managers. To get help with security consulting and security assessments, or to book Ted to keynote your next event, visit https://www.tedharrington.com.